The ICO is currently running a consultation on changes to the way it deals with data protection complaints. They are seeking to formalise the practice of simply ‘logging’ data protection complaints for information, which effectively means they won’t be investigated. In my experience, the ICO has been sporadically taking this approach for a while – but it mostly seems to have been arbitrary, depending largely on an individual case officer’s appetite for doing investigative work (I previously wrote about how the ICO bizarrely refused to investigate my complaint about ‘consent or pay’, which they are now investigating after I sent them a legal letter threatening a judicial review).

One positive thing from this is that they will start monitoring which controllers receive a certain number of complaints and opening investigations. The full consultation can be found here: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/08/ico-consultation-on-draft-changes-to-how-we-handle-data-protection-complaints

My full response to the consultation can be found below.

7 To what extent do you agree that ‘our proposed approach to complaint handling’ clearly explains how we’ll handle complaints?
Disagree
If disagree / strongly disagree / not sure, please explain:
“If the complaint is assessed as requiring further investigation, it would be allocated to the appropriate team.”
This is not clear. The ICO’s use of the word ‘investigation’ currently has multiple meanings. A formal investigation by the ICO’s investigations directorate is wholly different from an ‘informal’ investigation by PADPCS case officers, because such case officers are unlikely to be authorised to take formal enforcement action.

8 Is there anything else you think we should include in our proposed approach to complaint handling?
Yes
If ‘Yes’, please explain:
The framework needs to clarify when a complaint will be referred to the investigations directorate for a formal investigation, which may result in formal regulatory action.
Furthermore, the framework should introduce a presumption in favour of writing to the organisation with guidance on the topic of a complaint if the complainant requests this, rather than merely recording a complaint for information only (which is ineffective and does nothing to address the concerns of the complainant at the relevant time). This should be done even if the ICO then closes the complaint because it does not match the prioritisation criteria. Simply writing to an organisation that a complaint has been received and including relevant guidance can help resolve the situation more easily, because the organisation will be more inclined to look at the issue again. Recording a complaint for information only should be reserved to cases where the complaint discloses no reasonable grounds for a contravention of the law.
The ICO should also make clear the difference between informal action being taken, and formal regulatory action being taken. For each type of action, the approach should set out the staff who are authorised to take that action.
The ICO should also start making use of ‘fixed’ penalties for common contraventions of the data protection legislation that can be issued by ordinary case officers. For example, a fixed penalty of £1,000 should be issued whenever an organisation has not responded to a subject access request on time (organisations could receive a warning instead of a fine the first time a complaint is upheld). Case officers should be able to use templates for this that are created by the legal department. If an organisation were to decline the fixed penalty, they should then be referred for a formal investigation for a monetary penalty to be issued following the ICO’s normal fining guidance. This approach is time-effective, will introduce some much-needed stick to the ICO’s data protection complaint approach, and help ensure organisations do more to prevent complaints escalating to the ICO.
The current lax approach of taking no formal action in over 99.9% of complaint cases isn’t working, as evidenced by the stark increase in those complaints despite the abysmal process for complainants.

9 To what extent do you agree that the proposed framework document clearly explains how we will handle complaints.
Disagree
Please explain your response:
The framework doesn’t set out when a complaint will be referred to the investigations directorate for a formal investigation to take place. “investigations” by case officers aren’t real investigations as they don’t have the power to issue formal enforcement action.

10 Is there anything else you think we should include in this proposed framework document?
Yes
If ‘Yes’, please explain:
The framework needs to set out when a complaint will be referred to the investigations directorate for a formal investigation to take place.

11 To what extent do you agree with the ‘criteria’ we’ll consider when assessing complaints:
Strongly disagree
Please explain your response:
‘Are we already aware of the data protection issue?’ This isn’t a clear factor. In any event, if the ICO is already aware of an issue and receives further complaints about this issue, this should be a factor in favour of investigating further, as clearly multiple people are being affected by it.
‘Is the organisation currently taking steps to respond to the complaint? Do those steps seem adequate?’ This should make clear that the ICO will set a deadline for a response and may then investigate if the complainant deems the response to be inadequate.
“DATA PROTECTION HARMS”
Low harm: the provided examples and criteria do not reflect a low level of harm. If a data subject has suffered fear, distress, annoyance or frustration, this constitutes non-material damage under the UK GDPR. It is normally indicative of at least a moderate level of harm. A low level of harm would normally only be applicable if a person has not suffered ANY damage.
“Someone receives a promotional email from a retailer. They have previously unsubscribed from emails and are mildly annoyed that they have received another”
This example reflects, at the very least, a moderate level of harm. The facts in this example indicate far wider compliance issues that result in people receiving spam in breach of ePrivacy legislation that parliament specifically enacted to prevent this. If one person continues to receive marketing emails AFTER UNSUBSCRIBING (!!) then likely many other people are too.
The ICO formalising this as ‘low’ harm will also likely make it harder for the ICO to enforce against PECR breaches. Organisations that have been fined will be able to argue in the Tribunals that, by the ICO’s own admission, the harm caused from such breaches is ‘low’.
“This could also include instances where the impact is more serious but only takes place once or is of short duration.” This is plainly wrong: if the impact is ‘more serious’, it cannot possibly be a ‘low’ level of harm. It is also contradicted by the text under the ‘moderate level of harm’ heading: “Harm may also be moderate if the impact on the person affected is substantial but is only sustained for a short time and it is unlikely to continue or happen again.”
Again, the example provided about the mental health absence note is wholly inappropriate. The disclosure of a note containing special category data to the colleagues of an employee plainly is not ‘low’ harm, even if the disclosure is removed shortly afterwards. This is particularly the case if other people have read the note and it concerns mental health, which likely exacerbates the harm for the affected person. The provided example is, at the very least, moderate harm. Only if the note is promptly removed and the controller can prove that it wasn’t read by anyone, could ‘low’ harm be in the realm of possibilities here.
It is also notable that the ‘moderate’ level of harm includes a similar example of underperformance information about an employee being inappropriately shared with others, whilst that data does not constitute special category data. I would agree this example constitutes a moderate level of harm. But clearly, if it does, then inappropriately disclosing special category data about an employee should also be at least a moderate level of harm.
None of the harm categories make any reference to material damage under the UK GDPR (i.e. financial damage).
The data protection harms should also consider (potential) harms to people other than the complainant.
The current data protection harms document, in my view, further breaches the ICO’s duty under section 108 Deregulation Act 2015. This is because it fails to consider the economic harms caused to other organisations because of the alleged infringements (e.g. when infringements provide an unfair competitive advantage, or allow the organisation to make financial savings compared to a state of compliance).

12 Is there anything else you think we should include in our criteria?
Yes
If ‘Yes’, please explain:
The criteria as set out in the regulatory action policy should also be applied here; this could be done by referring to the RAP in the framework.
For example: has the data protection issue caused an advantage (financial or otherwise) to the organisation, or a disadvantage to other relevant organisations?

13 To what extent do you agree with the proposed plans of what we would do with the information we collect from complaints?
Agree
If ‘Yes’, please explain:
Finally, the ICO will actually start doing something with complaints it doesn’t take formal enforcement action on at the time.
The thresholds should be clearly published on the ICO’s website.

14 Is there anything else you think we should consider when using the information we collect from complaints?
Yes
If ‘Yes’, please explain:
Taking formal enforcement action.

15 Do you agree with the identified list of the affected groups in Section 5.4 of the impact assessment?
Agree

16 Are there any other groups of stakeholders that you think will be affected by the proposed data protection complaints handling approach?
No
If so, please provide details below:

17 Do you agree with the assessment of costs and benefits outlined in the impact assessment?
Don’t know / unsure

18 Are there any other costs and/or benefits that you think should be considered?
Yes
If yes, please provide details below and any evidence you might have to illustrate this:
Even further decreased confidence in the ICO due to it not even looking into more individual data protection complaints (let alone taking appropriate enforcement action).

19 Do you think the proposed data protection complaints handling approach will result in any additional costs or benefits for you / your organisation? (These could be financial or non-financial)
Cost(s)

20 Please describe the types of additional costs and / or benefits you / your organisation might incur, including a rough estimate where possible.
If applicable, please describe the types of additional costs and/or benefits you/ your organisation might incur, including a rough estimate where possible.:
Further costs due to people challenging perverse outcomes for a complaint to be put in the bin without further investigation or action.

21 Is there any other evidence or information on potential impacts that you would like us to consider?
No

22 Please provide any further general comments or suggestions you may have about the proposed approach.
Please provide any further general comments or suggestions you may have about the proposed approach.:
“Proposed data protection harms scale”
Low harm: the provided examples and criteria do not reflect a low level of harm. If a data subject has suffered fear, distress, annoyance or frustration, this constitutes non-material damage under the UK GDPR. It is normally indicative of at least a moderate level of harm. A low level of harm would normally only be applicable if a person has not suffered ANY damage.
“Someone receives a promotional email from a retailer. They have previously unsubscribed from emails and are mildly annoyed that they have received another”
This example reflects, at the very least, a moderate level of harm. The facts in this example indicate far wider compliance issues that result in people receiving spam in breach of ePrivacy legislation that parliament specifically enacted to prevent this. If one person continues to receive marketing emails AFTER UNSUBSCRIBING (!!) then likely many other people are too.
The ICO formalising this as ‘low’ harm will also likely make it harder for the ICO to enforce against PECR breaches. Organisations that have been fined will be able to argue in the Tribunals that, by the ICO’s own admission, the harm caused from such breaches is ‘low’.
“This could also include instances where the impact is more serious but only takes place once or is of short duration.” This is plainly wrong: if the impact is ‘more serious’, it cannot possibly be a ‘low’ level of harm. It is also contradicted by the text under the ‘moderate level of harm’ heading: “Harm may also be moderate if the impact on the person affected is substantial but is only sustained for a short time and it is unlikely to continue or happen again.”
Again, the example provided about the mental health absence note is wholly inappropriate. The disclosure of a note containing special category data to the colleagues of an employee plainly is not ‘low’ harm, even if the disclosure is removed shortly afterwards. This is particularly the case if other people have read the note and it concerns mental health, which likely exacerbates the harm for the affected person. The provided example is, at the very least, moderate harm. Only if the note is promptly removed and the controller can prove that it wasn’t read by anyone, could ‘low’ harm be in the realm of possibilities here.
It is also notable that the ‘moderate’ level of harm includes a similar example of underperformance information about an employee being inappropriately shared with others, whilst that data does not constitute special category data. I would agree this example constitutes a moderate level of harm. But clearly, if it does, then inappropriately disclosing special category data about an employee should also be at least a moderate level of harm.
None of the harm categories make any reference to material damage under the UK GDPR (i.e. financial damage).
The data protection harms should also consider (potential) harms to people other than the complainant.
The current data protection harms document, in my view, further breaches the ICO’s duty under section 108 Deregulation Act 2015. This is because it fails to consider the economic harms caused to other organisations because of the alleged infringements (e.g. when infringements provide an unfair competitive advantage, or allow the organisation to make financial savings compared to a state of compliance).

23 Are there any terms or sections in the proposed approach you found unclear or overly technical?
No